As April 17th (US) and April 30th (Canada) near, cyber scammers are pulling out all their tax scams to trick consumers and capitalize on the flurry of activity. Our friends over at Proofpoint say that this time of year, [they have] tracked malware distribution in addition to the customary phishing schemes among the email threats related to federal taxes.

The IRS is also urging people to remember that “the IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. In addition, IRS does not threaten taxpayers with lawsuits, imprisonment or other enforcement action.”

So to help our clients stay vigilant, we’re highlighting some recent phishing tricks and sharing phishing flags every employee should recognize.

IRS Phishing and Malware Scam Examples

Example 1: Malware Distribution

This first example centers on malware delivery and was identified by the Proofpoint researchers who analyzed numerous tax/IRS-related phishing emails. In this IRS phishing campaign, the recipient was asked to read the IRS Privacy Policy, which was attached to the email (hint: don’t open unexpected attachments!). With this campaign, once the attachment was opened and the embedded macros were enabled, the macros downloaded malware (Dridex botnet ID 1105).

Example 2: IRS Phishing Email + Webpage

The next IRS phishing scam example also comes from Proofpoint’s analysts. (Side note, here at Eze Castle we use Proofpoint internally and provide it to our clients.)

Proofpoint says that “tax-themed phishing remained the most popular attack this season. These phishing schemes continue to employ a variety of templates and attack styles and, for the first time, adopted some of the more sophisticated approaches [Proofpoint has] previously observed in Gmail and PayPal phishing schemes.”

The following image highlights an email claiming to be from the IRS (note the domain is not a valid US government top-level domain, i.e. .gov).

Proofpoint also states that “the attached document ‘IRS-gov Copyright.html’ is a phishing page that sends the personal information collected in the form back to the attacker. The use of HTML attachments rather than links is not a novel approach, but in this case the stolen branding and template used accurately mirror real pages from irs.gov. The email lure, despite some grammatical errors, also effectively uses the stolen IRS branding and imparts a sufficient sense of urgency to encourage users to submit the form.”
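Several indicators from the two examples above (an IRS-branded sender outside .gov, an HTML attachment, a macro-capable Office attachment, urgent wording) can be checked mechanically in a mail triage script. The following is an added example, not code from Proofpoint or Eze Castle; the sample message, host names, extension list and urgency keywords are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample, not a captured message. Only the attachment name
# "IRS-gov Copyright.html" comes from the article; all hosts are placeholders.
SAMPLE = """\
From: "IRS Online" <refunds@irs-notice.example>
To: staff@firm.example
Subject: Urgent: verify your tax refund information
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Taxpayer, complete the attached form immediately.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="IRS-gov Copyright.html"

<html><form action="http://collector.example/submit"></form></html>
--b1--
"""

# Assumed lists for illustration: Office extensions that can carry macros,
# and a few urgency words.
MACRO_EXT = (".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm")
URGENCY = re.compile(r"\b(urgent|immediately|final notice)\b", re.I)

def red_flags(raw: str) -> list[str]:
    """Return the article's red flags that are visible in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    # Sender presents itself as the IRS but the address is not under .gov.
    if re.search(r"\birs\b", f"{display} {domain}", re.I) and not domain.endswith(".gov"):
        flags.append(f"claims IRS, sender domain is not .gov: {domain}")
    if URGENCY.search(str(msg.get("Subject", ""))):
        flags.append("urgent wording in subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if part.get_content_type() == "text/html" or name.lower().endswith((".html", ".htm")):
            flags.append(f"HTML attachment: {name}")
        elif name.lower().endswith(MACRO_EXT):
            flags.append(f"macro-capable Office attachment: {name}")
    return flags

if __name__ == "__main__":
    print("\n".join(red_flags(SAMPLE)))
```

The From header can be forged, so a .gov address on its own is not evidence that a message is genuine; these checks only surface the obvious mismatches.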

Red Flags to Help Avoid Tax Season Phishing & Malware Scams

Phishing attempts can occur via email, phone, instant message, SMS or social media. Here’s what to look out for:

Check the sender email address as well as “to” and “cc” fields

Is it personalized? Be wary of generic greetings

Improper spelling and grammar can be giveaways as well

An overwhelming sense of urgency requesting personal information

Links! Only click on those that you are expecting (same goes for attachments)

Suspicious emails from trusted sources can happen. If your friend/colleague sends a strange message, their account may have been attacked.

Be aware that landing on the wrong website can expose a firm to risks, so be on the lookout for these signs that could signal it is a malicious site:

Check for the presence of an address, phone number and/or email contact

Check the web address for misspellings, extra words, characters or numbers that seem off or suspicious

Roll your mouse pointer over a link to reveal its true destination, displayed in the bottom left corner of your browser

If there is NO padlock in the browser window or ‘https://’ at the beginning of the web address to signify that it is using a secure link, do not enter personal information on the site

Be wary of websites that request lots of personal information

Avoid ‘pharming’ by checking the address in your browser's address bar after you arrive at a website to make sure it matches the address you typed

Be wary of websites that are advertised in unsolicited emails from strangers